Information processing apparatus capable of controlling a document stored in a memory not to leak to a network not permitted to access and non-transitory computer readable medium

ABSTRACT

An information processing apparatus includes multiple network interfaces, multiple storage areas for saving data, an obtaining unit, and a presenting unit. The multiple network interfaces are connected to corresponding networks. For each of the multiple storage areas, a network interface permitted as an output path of the saved data is defined. The obtaining unit obtains network information indicating a network available to a group to which each user belongs. The presenting unit presents to a user a list of storage areas selectable as a data storage destination. The presenting unit presents a list of storage areas for which a network interface connected to a network available to the group to which the user belongs, which is indicated by the network information, is defined as the output path.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation of U.S. patent application Ser. No. 16/558,170filed on Sep. 2, 2019, now allowed, which claims priority under 35 USC119 from Japanese Patent Application No. 2018-168450 filed Sep. 10,2018, the entire disclosures of which are incorporated herein byreference.

BACKGROUND (i) Technical Field

The present disclosure relates to an information processing apparatusand a non-transitory computer readable medium.

(ii) Related Art

Among information processing apparatuses, there is a type capable ofsimultaneously connecting to a plurality of networks via a plurality ofnetwork interfaces. This type of information processing apparatus may beconnected to both of a first network that handles highly confidentialdata and a second network that handles not confidential data. Forexample, in the case where the information processing apparatus is anexpensive device such as a digital multifunctional peripheral (MFP), itmay be advantageous in terms of cost for the information processingapparatus to be able to be shared by the first network and the secondnetwork. In such a case, after data handled on the first network issaved in a storage area in that information processing apparatus, thatdata may happen to leak from the storage area to the second network.

Japanese Patent No. 5511332 discloses a system in which, on receipt by aprint control apparatus of a job via any network, the print controlapparatus identifies the network via which the job has been received,adds information on the identified network as an attribute value of thejob, and, when saving the job in an image forming apparatus, stores thenetwork information added as the attribute value of the job in amanagement table and manages the network information along with the job.In response to a request from a terminal apparatus to obtain data savedin a hard disk drive (HDD), reference is made to the management table toadd network information to the data. It is determined whether or not atransmission condition is satisfied on the basis of the networkinformation and transmission destination network information. When thetransmission condition is satisfied, the data is transmitted.

For example, in the case where an information processing apparatus thatis capable of simultaneously connecting to a plurality of networks via aplurality of network interfaces and that may be connected to both of afirst network that handles highly confidential data and a second networkthat handles not confidential data is an expensive device such as adigital MFP, it may be advantageous in terms of cost for the informationprocessing apparatus to be able to be shared by the first network andthe second network. In such a case, after data handled on the firstnetwork is saved in a storage area in that information processingapparatus, that data may happen to leak from the storage area to thesecond network. As one method of avoiding such circumstances, forexample, it is conceivable to provide a dedicated storage area forsaving data from the first network in the information processingapparatus, setting an attribute regarding an output path to the storagearea, and controlling an output of data in the storage area inaccordance with the attribute. In the above-described example, it isconceivable to set, as the attribute of the storage area, an attributeindicating that a network interface for the first network is permittedas the output path of data in that storage area but a network interfacefor the second storage area is not permitted. Using this method, even inresponse to an instruction to output data saved in that storage area viaa network interface for the second network, that instruction is notexecuted under control that refers to that attribute.

The case is conceived in which, in an information processing apparatus(such as an MFP) shared by a plurality of users, a plurality of storageareas for different users or different purposes of use are operated. Inthis case, a user finds a storage area that suits his/her purpose from adisplayed list of these storage areas, and specifies that storage areaas a data storage destination. Here, it is assumed that the outputattribute of the storage area specified by the user as the storagedestination does not permit an output of data in that storage area to anetwork to which a personal computer (PC) at the user's desk isconnected. In this case, if data is saved in that storage area, the userbecomes unable to download that data to the PC at the user's desk.

SUMMARY

Aspects of non-limiting embodiments of the present disclosure relate topreventing a user from selecting, as a data storage destination, astorage area from which data is not permitted to be output to a networkavailable to the user.

Aspects of certain non-limiting embodiments of the present disclosureovercome the above disadvantages and/or other disadvantages notdescribed above. However, aspects of the non-limiting embodiments arenot required to overcome the disadvantages described above, and aspectsof the non-limiting embodiments of the present disclosure may notovercome any of the disadvantages described above.

According to an aspect of the present disclosure, there is provided aninformation processing apparatus including a plurality of networkinterfaces, a plurality of storage areas for saving data, an obtainingunit, and a presenting unit. The plurality of network interfaces isconnected to corresponding networks. For each of the plurality ofstorage areas, a network interface permitted as an output path of thesaved data is defined. The obtaining unit obtains network informationindicating a network available to a group to which each user belongs.The presenting unit presents to a user a list of storage areasselectable as a data storage destination. The presenting unit presents alist of storage areas for which a network interface connected to anetwork available to the group to which the user belongs, which isindicated by the network information, is defined as the output path.

BRIEF DESCRIPTION OF THE DRAWINGS

An exemplary embodiment of the present disclosure will be described indetail based on the following figures, wherein:

FIG. 1 is a diagram illustrating an example of a network environment towhich an MFP to which processing according to an exemplary embodiment ofthe present disclosure is applied is connected;

FIG. 2 is a diagram illustrating an example of the internalconfiguration of the MFP;

FIG. 3 is a diagram illustrating an example of a mechanism forcontrolling a document saved in a box not to leak to a network notpermitted for security reasons;

FIG. 4 is a diagram illustrating an example of the data structure ofinput/output path access right information;

FIG. 5 is a diagram illustrating an example of box input/outputinformation using the input/output path access right informationillustrated in FIG. 5;

FIG. 6 is a diagram illustrating an example of a process performed by aninput/output controller in response to an instruction for a box that isgiven from a local user interface (UI);

FIG. 7 is a diagram illustrating an example of a process performed bythe input/output controller in response to an instruction for a box thatis given from a remote computer (network);

FIG. 8 is a diagram illustrating another example of the data structureof the input/output path access right information;

FIG. 9 is a diagram illustrating an example of box input/outputinformation using the input/output path access right informationillustrated in FIG. 8;

FIG. 10 is a diagram illustrating an example of the data structure ofinput/output path access right information including the item“unspecified-case information”;

FIG. 11 is a diagram illustrating an example of the apparatusconfiguration according to the exemplary embodiment for presenting ascreen for selecting a storage destination box;

FIG. 12 is a diagram illustrating an example of the details of a boxmanagement table;

FIG. 13 is a diagram illustrating an example of the details of a usermanagement table;

FIG. 14 is a diagram illustrating an example of information on boxessuitable as a document storage destination for each user, which aredetermined from the box management table and the user management table;

FIG. 15 is a diagram illustrating an example of a box selecting screen;

FIG. 16 is a diagram illustrating another example of the box selectingscreen;

FIG. 17 is a diagram illustrating an example of document storagedestination options presented to each user;

FIG. 18 is a diagram illustrating an example of a box management tableincluding information on a box for an unregistered user according to afirst modification;

FIG. 19 is a diagram illustrating an example of the functionalconfiguration of a main controller according to the first modification;

FIG. 20 is a diagram illustrating an example of a group management tableaccording to a second modification;

FIG. 21 is a diagram illustrating an example of a user information tableaccording to the second modification;

FIG. 22 is a diagram illustrating an example of the functionalconfiguration of the main controller according to a third modification;

FIG. 23 is a diagram illustrating an example of the user managementtable according to the third modification;

FIG. 24 is a diagram illustrating an example of settings of the type ofpurpose of each network according to a fourth modification; and

FIG. 25 is a diagram illustrating an example of a screen for selectingthe type of purpose of box storage according to the fourth modification.

DETAILED DESCRIPTION Example of Apparatus Configuration

FIG. 1 is a diagram illustrating an example of a network environment towhich a multi-functional peripheral (MFP) 100 to which processingaccording to an exemplary embodiment of the present disclosure isapplied is connected.

In this example, the MFP 100 includes three network interfaces, and isconnected to three different networks, namely, local area network (LAN)1, LAN 2, and Wi-Fi (registered trademark), via these networkinterfaces, respectively. A computer 200 such as a personal computer(PC) or a mobile terminal on each network exchanges data with the MFP100 via a network to which the computer 200 is connected. Note that anMFP is an apparatus that has a combination of functions of a printer, ascanner, a copy machine, a fax machine, and the like.

FIG. 2 illustrates an example of the internal configuration of the MFP100. The MFP 100 includes a scanner 101, a printer 103, a fax machine105, a display apparatus 107, a non-volatile storage device 109, a maincontroller 110, and network interfaces 120-1, 120-2, and 120-3(hereinafter may collectively be referred to as “network interfaces 120”when it is not necessary to distinguish between them).

The scanner 101 optically reads an image of a document and generatesimage data representing the image. The printer 103 prints an imagerepresented by image data on paper. Cooperation of the scanner 101 andthe printer 103 realizes copying. The fax machine 105 transmits/receivesfaxes. The display apparatus 107 is an apparatus that displays a screenfor a user interface (UI) of the MFP 100. In this example, the displayapparatus 107 is configurated as a touchscreen apparatus, and servesalso as an input apparatus (however, this is only one example). Thenon-volatile storage device 109 is a storage device that holds itsmemory even when the power is turned off, and a hard disk drive (HDD)and flash memory are one example of the non-volatile storage device 109.

The main controller 110 is a device that controls the operation of theMFP 100, and includes a computer that performs data processing and acontrol program executed by the computer. The main controller 110receives a user input on a UI screen displayed on the display apparatus107 and controls the scanner 101, the printer 103, the fax machine 105,and/or the like in accordance with the input, thereby realizingprocessing designated by the user. In addition, the main controller 110is connected to networks via the network interfaces 120-1, 120-2, and120-3, and exchanges instructions and data with computers on thenetworks. In the example illustrated in FIGS. 1 and 2, it is assumedthat the network interface 120-1 is connected to LAN 1; the networkinterface 120-2 is connected to LAN 2; and the network interface 120-3is connected to a network via Wi-Fi. For the following description, itis assumed in this example that at least LAN 1 and LAN 2 are differentnetworks. In addition, it is assumed that a network to which the MFP 100is connected via Wi-Fi is connected to LAN 1.

The MFP 100 has the function of saving image data, print data describedin a page description language, and electronic document data such asfiles generated by various applications (hereinafter may simply bereferred to as “documents”) in the non-volatile storage device 109.

The MFP 100 may create a plurality of document storage areas. There isno particular restriction on a specific system for realizing a storagearea. For example, each storage area may be a folder managed by a filesystem of the main controller 110, or may be a logic partition or alogic drive set to the non-volatile storage device 109. In addition, aplurality of non-volatile storage devices 109 (physical drives) may beprovided in the MFP 100, and each of the physical drives may be definedas a different storage area. In addition, the above-described exemplarytypes of storage areas may be combined and used. Hereinafter, eachstorage area will be figuratively referred to as a “box”. In order torestrict a user(s) who is/are permitted to access each box, a passwordmay be set to the box, or each user's access right to a box may bedefined using an access control list.

The main controller 110 has the function of controlling an input(storage, accumulation) and an output (retrieval) of a document to/fromsuch a box.

A document (image data) generated by scanning performed by the scanner101, a document received by the fax machine 105, and a document inputvia a network are saved in a box. In addition, a document saved in a boxmay be output in forms such as a print output from the printer 103,transmission by the fax machine 105, and transmission via a network.

The MFP 100 illustrated by way of example in FIG. 1 is connected to aplurality of different networks, and these networks may have differentsecurity requirements. For example, an example of such a case is that,in an office, a section that handles highly confidential data and asection that handles no confidential data are separated to prevent staffbelonging to the latter section from accessing highly confidential datavia a network. Even in such a case, it may be difficult to install anexpensive MFP 100 for each section, and one MFP 100 may be shared by aplurality of sections. In such a case, the MFP 100 is connected to anetwork of a section with strict security requirements (referred to as a“first section” for convenience) and to a network of a section with notstrict security requirements. To satisfy the security requirements ofthe former section, it is necessary to prepare a box dedicated for theformer section as a box (storage area) in the MFP 100, and to preventleakage of a document saved in this box to a network of the lattersection.

For example, a network of the first section and a network of anothersection different from the first section may happen to use the samenetwork address as a private Internet Protocol (IP) address. In such acase, it is unable to restrict access to a box in the MFP 100 or torestrict transfer of a document in a box using the IP address. As acountermeasure, for example, in transmission of a document in a box, auser who gives an instruction to transmit the document specifies anetwork interface 120 via which the document is transmitted, therebypreventing leakage of a document in that box to an unexpected network.However, it is difficult for general users to specify a networkinterface 120 via which a document is transmitted, and it is highlylikely that the user is perplexed or selects a wrong network interface120.

Therefore, in this system, a mechanism is provided for controlling adocument saved in a box not to leak to a network not permitted forsecurity reasons. Hereinafter, this mechanism will be described.

FIG. 3 illustrates a group of functions included in the main controller110 for this mechanism. A box memory 111 stores information on one ormore boxes, and information on a document saved in each box. Aninput/output controller 113 controls an input (storage) or an output(transfer, print, etc.) of a document to/from the box memory 111.

An input/output destination determination unit 115 determines an inputsource of inputting an operation instruction or a document to a box, andan output destination of a document in a box. The input source of anoperation instruction for a box includes a local UI (that is, thedisplay apparatus 107) and an apparatus on a network. An apparatus on anetwork communicates with the main controller 110 via a correspondingone of the plurality of network interfaces 120. Therefore, theinput/output destination determination unit 115 determines from which ofthe local UI and the plurality of network interfaces 120 the operationinstruction that has arrived comes from. Similarly, in response to aninput of a document to a box, the input/output destination determinationunit 115 determines which of the local scanner 101, the local faxmachine 105 (fax reception), and the plurality of network interfaces 120the input source is. In response to an instruction to output a documentin a box, the input/output destination determination unit 115 determineswhich of the local printer 103, the local fax machine 105 (faxtransmission), and the plurality of network interfaces 120 the outputdestination is.

A box authentication unit 117 authenticates a user to access a box, andauthenticates an arriving document to be input (saved) in a box. Thisauthentication is performed using, for example, a password set to a boxof interest being operated or to which a document is input. That is, inthe case where a user tries to start operating a box, the user is askedto enter a password. In the case where a correct password is entered inresponse to this, the user is permitted to operate the box. In addition,on receipt of a fax reception addressed to a box, in the case where apassword accompanying the received document matches a password set tothat box, the document is permitted to be accumulated in that box. Inaddition, in the case where an access control list is set to a box, auser authentication mechanism (not illustrated) performs userauthentication on a user who is trying to operate the MFP 100, and thebox authentication unit 117 permits the user identified by the userauthentication to operate the box within the scope of authoritypermitted by that access control list of the box. For example, in thecase where a user is permitted to accumulate and print a document in thebox but is not permitted to transfer a document in the box via fax or anetwork, a transfer instruction given from the user is not permitted. Inthe case where no password is set to a box and no access control isperformed using an access control list, a user is permitted to performall types of operations on that box (note that the user is subjected tolater-described operation restrictions in accordance with an inputsource or an output destination of a document in the box according tothe user operation).

A management information memory 119 holds management information usedfor control performed by the input/output controller 113 for aninput/output to/from a box. The held management information includes boxinput/output information indicating whether an input/output from/to eachinput source/output destination is permitted according to each box. Thebox input/output information defines, for example, for each box, aninput source permitted to input an operation instruction or a documentto that box or an output destination to which a document in that box ispermitted to be output. In this case, an input from an input source andan output to an output destination whose permissions are not defined inthe box input/output information are not permitted. Alternatively,instead of defining a permitted input source and output destination, thebox input/output information may define a not-permitted input source andoutput destination. In this case, an input from an input source and anoutput to an output destination whose non-permissions are not defined inthe box input/output information are permitted. In addition, the boxinput/output information is not limited to one that separately definesan input source and an output destination, and may be one that defines,for a certain source (or network interface 120), both an input to and anoutput from a box are permitted or not permitted.

In addition, from the viewpoint of prevention of unintended leakage of adocument in a box, there may be no need to restrict an input (storage)of a document to a box. In such a case, it may only be necessary for thebox input/output information to define a permitted output destination ofa box (or a not-permitted output destination of a box). As in theabove-described example in which the MFP 100 is connected to a pluralityof different networks with different security requirements, when adocument from a network with strict security requirements is accumulatedin a box from which an output to a network with loose securityrequirements is permitted, there is a risk of leakage to the latternetwork via that box. In such a case, the box input/output informationalso defines the input source.

In addition, a local input/output of the MFP 100 (i.e., an input/outputnot via a network), that is, storage of a document obtained by scanning,fax, and the like in a box, a print output and fax transmission of adocument in a box, and so forth are basic functions of the MFP 100, andthese functions may be permitted by default. In a few specific examplesdiscussed below, it is assumed that a local input/output to/from a boxis permitted. In this case, the box input/output information definespermission or non-permission of an input and an output via each networkinterface 120.

The input/output controller 113 refers to management information such asthe box input/output information held in the management informationmemory 119, and controls an input and an output of a document to andfrom each box in the box memory 111.

Next, a process performed by the input/output controller 113 will bedescribed using a specific example.

FIGS. 4 and 5 illustrate input/output path access right information andbox input/output information held in the management information memory119, used in one specific example. This example is an example in thecase where the MFP 100 is connected to three networks, namely, LAN 1,LAN 2, and Wi-Fi illustrated in FIG. 1 (via three network interfaces 120corresponding to LAN 1, LAN 2, and Wi-Fi, respectively).

The input/output path access right information illustrated in FIG. 4 isinformation that defines a network group. This information includes anetwork group identification (ID) and network interface information thatcorresponds to the network group ID. A network group ID is an ID foruniquely defining a network group. Network interface information is alist of IDs of network interfaces constituting a network group with thenetwork group ID. In the example illustrated in FIG. 4, “group 1” isconstituted of only the network interface 120 named “LAN 1” (and anetwork connected thereto); and “group 5” is constituted of two networkinterfaces 120 named “LAN1” and “Wi-Fi”. This group information is usedto represent a group permitted to input/output a document to/from a boxin the box input/output information illustrated by way of example inFIG. 5. Although “group 4” has “none” for the value of the networkinterface information, this is used in the case where no input/output ofa document to/from a box via a network interface 120 is permitted atall. In addition, “group 5” is used in the case of, for example,handling a document that complies with the same or similar securityrequirements on networks connected to “LAN 1” and “Wi-Fi”. In the casewhere this group is associated with a box, a document handled in (thatis, saved in or output from) that box is limited to one communicatedusing LAN 1 and Wi-Fi.

The box input/output information illustrated in FIG. 5 defines, for eachbox in the box memory 111, the ID of a network group permitted toinput/output a document to/from that box. That is, in the exampleillustrated in FIGS. 4 and 5, a network interface 120 belonging to anetwork group associated with a box is permitted as both an input pathand an output path for that box.

In the example illustrated in FIG. 5, a box named “box 1” (box ID is“001”) is associated with group 1. Therefore, for this box 1, aninput/output via a network interface 120 with the ID “LAN 1” belongingto group 1 is permitted, but an input/output via other networkinterfaces 120 is not permitted. That is, the permission mode of aninput/output of a document to/from box 1 via a network is as follows:

1) Document storage via LAN 1 is permitted;2) Document storage via LAN 2 or Wi-Fi is not permitted;3) Document output (retrieval and transfer) via LAN 1 is permitted; and4) Document output via LAN 2 or Wi-Fi is not permitted.

Since a local input/output is permitted by default in this example,storage of a document obtained by scanning and fax reception in box 1and an output of a document in box 1 by printing and fax transmissionare permitted.

In this manner, the example illustrated in FIGS. 4 and 5 is one inwhich, for each box, a network permitted to use that box is defined. Inthis example, one that is permitted to use a box via a network (that is,one that is permitted to operate that box, permitted to save a documentin that box, permitted to retrieve a document in that box, or permittedto be a transfer destination of that document) is limited to anapparatus on a network belonging to a network group associated with thatbox. Therefore, boxes in the MFP 100 shared by a plurality of networksmay be separated according to each network. Also in this example, for adocument saved in a box locally (that is, from the scanner 101 or thefax machine 105), box input/output information of that box is appliedwhen retrieving that document from a remote computer or transferringthat document to a remote computer. Therefore, leakage of a documentsaved in a box locally to an unintended network via that box is alsoprevented.

Referring next to FIGS. 6 and 7, an example of a procedure executed bythe input/output controller 113 will be described.

FIG. 6 illustrates an example of a process performed by the input/outputcontroller 113 in the case where a certain box on a screen of a local UI(display apparatus 107) is specified by a user as an operation target.In this case, the input/output controller 113 causes the boxauthentication unit 117 to perform access authentication processing forthat box (S10). In the case where a password is set to that box, the boxauthentication unit 117 displays a password entry screen on the UI andasks the user to enter a password. In the case where a password enteredby the user in response to this matches the password set to that box,the box authentication unit 117 determines that the authentication issuccessful. Alternatively, in the case of a system of controlling accessto a box using an access control list based on user authentication, thebox authentication unit 117 causes a user authentication organization(not illustrated) to perform login authentication on the user, and, inthe case where the login authentication is successful, obtains the userID of the user from the user authentication organization. Whether or notthe user ID has any access right to that box (such as the right to saveor retrieve a document in that box) is determined from the accesscontrol list of that box. In the case where the user has any accessright to that box, the box authentication unit 117 determines that theauthentication in step S10 is successful; and, in the case where theuser does not have any access right at all, the box authentication unit117 determines that the authentication is unsuccessful. The input/outputcontroller 113 determines whether or not the authentication performed bythe box authentication unit 117 is successful (S12).

In the case where the authentication performed by the box authenticationunit 117 is unsuccessful, the input/output controller 113 displays anerror screen indicating that an operation on the specified box isunexecutable on the local UI (S14), and ends the process.

In the case where the authentication performed by the box authenticationunit 117 is successful, the input/output controller 113 determineswhether or not an instruction given from the user regarding that box isan instruction to perform an operation to transfer a document in thatbox via a network (S16). For example, in the case where a transferoperation using a network transfer protocol such as the File TransferProtocol (FTP) or the Simple Mail Transfer Protocol (SMTP) is given, theresult of the determination in step S16 is yes (affirmative). Incontrast, in the case where an operation other than transfer via anetwork, such as a printout or fax transmission of a document in thebox, or storage of a scanned document in the box, is given, the resultof the determination in step S16 is no (negative).

In the case where the result of the determination in step S16 is no(negative), the input/output controller 113 executes processingdesignated by the user (S18). For example, in the case where the userhas given an instruction to perform an operation to save a scanneddocument in the box, the input/output controller 113 receives a documentgenerated by the scanner 101 and saves the document in the box in thebox memory 111.

In the case where the result of the determination in step S16 is yes(affirmative), the input/output controller 113 causes the input/outputdestination determination unit 115 to determine which network interface120 an output path to a transfer destination of transfer (transmission)designated by the user is. The input/output destination determinationunit 115 may perform this determination by, for example, determiningwhich network, ahead of which network interface 120, has the address(such as the IP address) of the transfer destination. The input/outputcontroller 113 refers to the management information memory 119 anddetermines whether or not a network interface 120 determined by theinput/output destination determination unit 115 is permitted, in the boxinput/output information, as an output path of a document in that box(S20). In the case of the example illustrated in FIGS. 4 and 5, theresult of the determination in step S20 is yes (affirmative) in the casewhere the network interface 120 is included in a network groupassociated with that box; and the result of the determination in stepS20 is no (negative) in the case where the network 120 is not includedin a network group associated with that box.

In the case where the result of the determination in step S20 is no(negative), the input/output controller 113 displays an error screenindicating that the designated operation is unexecutable on the local UI(S14), and ends the process.

In the case where the result of the determination in step S20 is yes(affirmative), the input/output controller 113 transfers a documentspecified as a target to be transferred to the specified transferdestination (S22).

FIG. 7 illustrates an example of a process performed by the input/outputcontroller 113 in the case where a user has given an instruction toperform an operation on a box from a remote computer connected via anetwork to the MFP 100. An operation on a box from a remote computerincludes, for example, storage of a document in the box (that is,uploading of a document from the computer to the box), retrieval of adocument in the box (downloading of a document in the box to thecomputer), and displaying of a screen for operating the box.

In this case, the input/output controller 113 causes the boxauthentication unit 117 to perform access authentication processing forthat box (S30). In the case where an instruction given from the remotecomputer is an instruction to save a document in that box, the boxauthentication unit 117 checks whether or not a password set to that boxis included in that document storage instruction, and determines thatthe authentication is successful in the case where the password isincluded, and determines that the authentication is unsuccessful in thecase where the password is not included. On receipt of a request toaccess a box from a remote user, the box authentication unit 117 asksthe user to enter a password of the box, and, in the case where thecorrect password is entered in response to this, determines that theauthentication is successful. Alternatively, in the case of a system ofcontrolling access to a box using an access control list, like the caseillustrated in FIG. 6, in the case where the user authentication issuccessful, the box authentication unit 117 obtains the user ID of auser whose login has been successful from the user authenticationorganization, and determines whether or not that user ID has any accessright to that box from the access control list of that box. In the casewhere the user has any access right to that box, the box authenticationunit 117 determines that the authentication in step S30 is successful.

In the case where the authentication performed by the box authenticationunit 117 is unsuccessful, the input/output controller 113 displays errorinformation indicating that an operation on the specified box isunexecutable on a remote apparatus that has given the instruction (S34),and ends the process.

In the case where the authentication performed by the box authenticationunit 117 is successful, the input/output controller 113 determineswhether or not an instruction given from the remote user regarding thatbox is an instruction to save (upload) a document in that box or toretrieve (download) a document in that box (S36).

In the case where the result of the determination in step S36 is no(negative), the input/output controller 113 executes processingdesignated by the user (S40). For example, in the case where the userinstruction is to display an operation screen in that box, informationon that operation screen is transmitted via a network to that user'scomputer.

In the case where the result of the determination in step S36 is yes(affirmative), the input/output controller 113 causes the input/outputdestination determination unit 115 to determine which network interface120 a path that has received the remote user instruction is. Theinput/output controller 113 refers to the management information memory119 and determines whether or not a network interface 120 determined bythe input/output destination determination unit 115 is permitted, in thebox input/output information, as an input or output path of a documentin that box (S38). In this determination, in the case of a documentstorage instruction, whether or not the determined network interface 120is permitted as an input path is determined; and, in the case of adocument retrieval instruction, whether or not that network interface120 is permitted as an output path is determined. In the case of theexample illustrated in FIGS. 4 and 5, because no distinction is madebetween an input and an output, the result of the determination in stepS38 is yes (affirmative) in the case where the network interface 120 isincluded in a network group associated with that box; and the result ofthe determination in step S40 is no (negative) in the case where thenetwork 120 is not included in a network group associated with that box.

In the case where the result of the determination in step S38 is no(negative), the input/output controller 113 returns error informationindicating that the designated operation is unexecutable to the remoteuser's computer (S34), and ends the process. In the case where theresult of the determination in step S38 is yes (affirmative), theinput/output controller 113 executes the operation designated by theuser, such as storage of a document in the box or retrieval of adocument in the box (S40).

In the procedure illustrated in FIG. 7, on receipt of an instructionfrom a remote computer to perform an operation on a box, it isdetermined whether or not the operation according to the instruction ispermitted from a combination of the instruction and a network to whichthe computer is connected. However, this order of the instruction andthe determination is only one example. Alternatively, when a useraccesses a box in the MFP 100 from a remote computer, the input/outputcontroller 113 may determine whether or not, for that computer, an inputor an output of a document to or from that box is permitted, and maydisplay a not-permitted operation in an unselectable state on theoperation screen (that is, a state in which that operation isunselectable on the screen).

According to the process illustrated in FIG. 7, in the case where a useraccesses a box from a remote computer, even in the case where the userhas the right to access that box, if that computer is on a network notpermitted to be used for inputting or outputting a document to or fromthat box, storage or retrieval of a document in that box isunexecutable. Note that, even in this case, operations on that boxwithin a certain range, other than document storage or retrieval, may bepermitted. In addition, in the case where a computer accessing a box islocated on a network not permitted to be used for inputting oroutputting a document to or from that box, even displaying of a screenfor operating that box may not be permitted.

Referring next to FIGS. 8 and 9, another example of the box input/outputinformation held in the management information memory 119 will bedescribed.

FIG. 8 is a diagram illustrating an example of the input/output pathaccess right information in this example. This input/output path accessright information is, unlike the example illustrated in FIG. 4,separately defined for an input path and an output path. That is, theinput/output path access right information illustrated in FIG. 8 definesone or more patterns of a combination of an input-permitted path and anoutput-permitted path. An input-permitted path is one or more networkinterfaces 120 permitted as an input path(s) of a document to that box,and an output-permitted path is one or more network interfaces 120permitted as an output path(s) of a document in that box. For example,pattern 3 permits three network interfaces 120, namely, LAN 1, LAN 2,and Wi-Fi, as input paths to that box, but does not permit any networkinterface 120 as an output path (“none”). This means that any documentin that box is not permitted to be output via a network at all.

The box input/output information illustrated in FIG. 9 defines, for eachbox in the box memory 111, the pattern ID of input/output access rightinformation set to that box.

In the example illustrated in FIG. 9, box 1 (box ID is “001”) isassociated with pattern 1. Therefore, for this box 1, document input(storage) via two network interfaces 120, LAN 1 and Wi-Fi, and documentoutput via LAN 1 are permitted. Therefore, in the case of the MFP 100connected to LAN 1, LAN 2, and Wi-Fi illustrated by way of example inFIG. 1, the permission mode of an input/output of a document via anetwork for box 1 is as follows:

1) Document storage via LAN 1 or Wi-Fi is permitted;2) Document storage via LAN 2 is not permitted;3) Document output (retrieval and transfer) via LAN 1 is permitted; and4) Document output via LAN 2 or Wi-Fi is not permitted.

Pattern 1 associated with this box 1 is useful in the case where,although networks to which LAN 1 and Wi-Fi are connected handledocuments that require similar security, LAN 1 has higher security thanWi-Fi. That is, because an input of a document to box 1 is one time onlyfor that document, the risk of leakage is low when an input is permittedfrom both LAN 1 and Wi-Fi; however, because document output is performedmultiple times for one document, the risk of leakage is reduced bypermitting only LAN 1, which is considered to have a lower risk ofleakage than Wi-Fi.

In addition, in the case of box 3 to which pattern 3 is set, the mode ofpermission of an input/output of a document via a network is as follows:

1) Document storage via LAN 1, LAN 2, or Wi-Fi is permitted; and2) Document output (retrieval and transfer) via LAN 1, LAN 2, or Wi-Fiis not permitted.

Although all of the patterns illustrated by way of example in FIG. 8have only one network interface 120 permitted as an output-permittedpath, a plurality of network interfaces 120 may be set asoutput-permitted paths.

A control procedure performed by the input/output controller 113 on thebasis of the input/output path access right information and the boxinput/output information illustrated by way of example in FIGS. 8 and 9may be the same as or similar to the procedures illustrated in FIGS. 6and 7.

Next, an example of controlling an output of a document in a box usingunspecified-case information will be described.

There is a case in which a plurality of network interfaces 120 permittedas document output paths are set for a box. For example, in the casewhere there is a box to which group 5 illustrated in FIG. 4, this boxcorresponds to this case. In the case of transferring a document in sucha box via a network, there is a case in which the document istransferrable to the transfer destination using any of the plurality ofnetwork interfaces 120 set as output paths. In this case, unless a userwho gives a transfer instruction explicitly specifies a networkinterface 120 that serves as a path for transferring the document, thedocument is transferred via a network interface 120 selected by anoperating system from among the plurality of network interfaces 120.However, as in the above-discussed relationship between LAN 1 and Wi-Fi,although a plurality of network interfaces 120 set to a box as pathspermitted to output a document are connected to the same network, one ofthese network interfaces 120 may be superior to another in terms of therisk of leakage of transferred data. In this case, a network interface120 selected by the operating system from among the plurality of networkinterfaces 120 is not always better in terms of the risk of leakage.

Although the case in which the user does not specify a network interface120 that serves as a path for transferring a document has been discussedabove by way of example, for example, in the case of applying aprocessing flow including document transfer (one example is aspecification disclosed in Japanese Unexamined Patent ApplicationPublication No. 2013-138284) to a box, the name, address, and so forthof an apparatus at the transfer destination are described in theprocessing flow, but a network interface via which the document istransferred is not defined in many cases. Therefore, the same or similarsituation may occur in the case of using the processing flow on a box.

To prevent such a situation, unspecified-case information may be set toa box in this example. In the case of transferring a document in a boxvia a network, if a user, a processing flow, or the like does notexplicitly specify a network interface 120 serving as the output path,unspecified-case information defines a network interface 120 used as theoutput path.

FIG. 10 illustrates an example in which the item “unspecified-caseinformation” is added to the input/output path access right informationillustrated in FIG. 4. The network interface 120 indicated in the item“unspecified-case information” is selected from among a plurality ofnetwork interfaces 120 indicated in the item “network interfaceinformation”. In the illustrated example, document storage andretrieval/transfer via LAN 1 and Wi-Fi is permitted for a box to whichgroup 6 is set. In the case where a network interface 120 via which adocument in the box is transferred is not specified by the user or thelike in a document transfer instruction, the input/output controller 113selects LAN 1 defined in the unspecified-case information as a path forthe transfer according to the instruction.

With such control, in the case where a network interface 120 that servesas a path for transferring a document in a box is not explicitlyspecified, a network interface 120 that is inferior in terms of the riskof leakage is prevented from being selected by the operating system asthe path.

In the above-described example, in the case where a network interface120 via which a document in a box is transferred and which is explicitlyspecified by the user is not permitted as an output path in boxinput/output information of that box, the input/output controller 113does not perform the transfer, and responds to the user that thetransfer is unexecutable.

Although FIG. 10 illustrates the input/output path access rightinformation illustrated in FIG. 4 with the addition of the item“unspecified-case information”, the item “unspecified-case information”may be added to the input/output path access right informationillustrated in FIG. 8 for the operation.

Exemplary Embodiment of UI Control

An exemplary embodiment of UI control for a box will be described.Reference is made to the exemplary network environment in which the MFP100 is installed, which is illustrated in FIG. 1. In this exemplaryembodiment, the configuration of the MFP 100 and processing of the boxinput/output control may be the same as or similar to theabove-described examples discussed with reference to FIGS. 2 to 10.

FIG. 11 illustrates the functional configuration of major units of themain controller 110 of the MFP 100 according to this exemplaryembodiment. FIG. 11 explicitly illustrates a UI unit 150 in theconfiguration illustrated in FIG. 3. The UI unit 150 is a processor thatprovides a UI of the MFP 100 to the user. The UI unit 150 preparesvarious UI screens for operating various functions of the MFP 100. Inthis exemplary embodiment, control of a UI screen provided to the userwho saves (stores) a document in a box will be particularly described.

A user who uses the MFP 100 is often restricted to one or a few networksavailable to the user in accordance with, for example, the user's job orthe place of the user's desk. For example, a network to which a desktopPC at the user's desk is physically connected is determined. Inaddition, in the case where a terminal used by the user is a mobileterminal such as a notebook PC, a network that the user is permitted tolog in and a network that the user is not permitted to log in may bedetermined in accordance with the user's job or the like.

In contrast, as has been described so far, box input/output informationis associated with each box in the box memory 111. A document saved in abox may be output to a network corresponding to an output-permitted pathdefined in that box's box input/output information.

Therefore, if a user carelessly selects a box for saving a document, theuser may select a box from which the document is not permitted to beoutput via a network available to the user. In the case where the userstores a document in such a box, the user becomes unable to obtain thatdocument via a network that the user uses.

To this end, this exemplary embodiment provides a UI for preventing auser from erroneously storing a document in a box from which thedocument is not permitted to be output via a network available to theuser. The UI unit 150 refers to information stored in a managementinformation memory 119A and provides such a UI. Information stored inthe management information memory 119A for this purpose is illustratedby way of example in FIGS. 12 and 13.

FIG. 12 illustrates a box management table indicating box input/outputinformation. In the box management table in this example, a networkinterface (IF) permitted as a path for inputting/outputting a documentto/from a box is registered in association with the ID (identificationinformation) of that box. Note that the box input/output information mayseparately define an input-permitted path and an output-permitted pathfor a box, as illustrated in FIGS. 8 and 9. FIG. 13 illustrates a usermanagement table that holds information on a network available to auser. In this table, identification information of a network availableto a user is registered in association with the ID of that user. Forexample, the user “User 2” is permitted to connect to LAN 2 and Wi-Fi inthe network environment illustrated in FIG. 1. Note that the same nameis used for the identification name of a network interface included inthe MFP 100 and the identification name of a network to which thatnetwork interface is connected.

A user is permitted to retrieve a document in a box to a terminal on anetwork available to the user in the case where that network (and anetwork interface connected to that network) is permitted as anoutput-permitted path of that box. To this end, the UI unit 150provides, as a UI screen for selecting a box that serves as a documentstorage destination, a screen on which it is easy to identify a box fromwhich a document is permitted to be retrieved to a terminal on a networkavailable to the user.

To generate such a UI screen, the UI unit 150 refers to the boxmanagement table (see FIG. 12) and the user management table (see FIG.13) stored in the management information memory 119A, and identifies abox from which a document is permitted to be output to a networkavailable to that user as a box suitable as a document storagedestination for that user. For example, in the case of a combination ofthe box input/output information illustrated in FIG. 12 and the networkinformation illustrated in FIG. 13, boxes suitable as a document storagedestination for each user are such as those illustrated in FIG. 14. Forexample, boxes suitable as a document storage destination for the user“User 2” are “Box-B”, “Box-C”, and “Box-D”, which include at least oneof “LAN 1” and “Wi-Fi”, which are networks available to the user, as anoutput-permitted path.

In the case where an instruction to save a document in a box is input tothe MFP 100 via a network, that document is input from that network to abox in the MFP 100 and saved in that box. Therefore, a box permitted asa storage destination in response to that storage instruction isrestricted to one that has that network (and a network interfaceconnected to that network) as an input-permitted path. Therefore, inresponse to a storage instruction from a network, the condition that therequirement “box suitable as a document storage destination” includesthat network as an input-permitted path is added. That is, a “boxsuitable as a document storage destination” in response to a storageinstruction from a network is a box from which a document is permittedto be output via a network available to that user, and is a box thatincludes, as an input-permitted path, a network interface that hasserved as an input path of that storage instruction.

The UI unit 150 provides, as a UI screen for selecting a box that servesas a document storage destination, a screen that distinguishablydisplays a box suitable as a document storage destination for that user(that is, a box from which a document is permitted to be output via anetwork available to that user) from other boxes.

In one example, as illustrated in FIG. 15, the UI unit 150 provides to auser a box specification screen 300 that displays only boxes suitable asa document storage destination for that user as a list of storagedestination options. The example illustrated in FIG. 15 illustrates, forthe MFP 100 to which the box management table illustrated in FIG. 12 andthe user management table illustrated in FIG. 13 are applied, an exampleof the box specification screen 300 provided in the case where the user“User 1” gives an instruction to save a scanned document in a box. Onthis box specification screen 300, the box ID and the box name of boxessuitable as a document storage destination for “User 1” (see FIG. 14)are displayed in the form of a list. In this example, radio buttons 302indicating selection are provided in the box ID field. The box name of abox is a name given to that box by a user who has the right to name thatbox, such as the owner of that box (for example, a person who hasperformed an operation to open that box). Referring to the box names,the user selects a box that serves as the current document storagedestination. The user sets a box that serves as a storage destination tothe selected state by, for example, touching the radio button 302 ofthat box, and presses a “confirm” button 304 to confirm the selection ofa box that serves as a storage destination.

In addition, a box specification screen 300A in another exampleillustrated in FIG. 16 includes not only boxes suitable as a documentstorage destination for the user, but also includes other boxes as alist of options. In this list, boxes suitable as a document storagedestination for the user and boxes that are not suitable aredistinguishably displayed. The example illustrated in FIG. 16 ispresented in the case where the user “User 1” gives an instruction tosave a document, like the case illustrated in FIG. 15. In the list ofoptions, boxes (Box-A and Box-D) suitable as a document storagedestination are displayed with higher luminance than other boxes (Box-Band Box-C) so as to stand out. The box specification screen 300A in theillustrated example has a field for indicating whether or not each boxis permitted to output a document to a terminal on a network availableto that user such that options with high luminance and options with lowluminance are distinguishable. For Box-A and Box-D, the value in thisoutput-permitted/not permitted field is set to “permitted”; and for theremaining two boxes, the value is set to “not permitted”. Looking at thedisplayed box specification screen 300A, the user selects either ofBox-A and Box-D when, for example, the user has a plan to retrieve thesaved document to a terminal on a network. The display distinctionbetween boxes suitable as a document storage destination and other boxesis not restricted to luminance or displaying permitted/not permitted, asdiscussed in the above example. Alternatively, for example, the color orfont size may be made different.

Note that box options displayed in the form of a list on the boxspecification screen 300A may be, in one example, all the boxes providedin the MFP 100. In another example, in the case where each user's rightto access each box is set, a group of boxes that a user who has given adocument storage instruction has the right to access is displayed asoptions.

Although options for the storage destination box displayed on the boxspecification screens 300 and 300A are in the form of a list in theexample illustrated in FIGS. 15 and 16, the form of displaying optionsis not restricted to a list form. Alternatively, for example, a screenin the form of displaying the icons of boxes that are options in theform of a matrix may be used.

FIG. 17 summarizes an example of displaying, on the MFP 100, options fora box that serves as a document storage destination on the basis of abox management table 160 illustrated by way of example in FIG. 12 and auser management table 162 illustrated by way of example in FIG. 13. Theexample illustrated in FIG. 17 is an example in the case where onlyboxes suitable as a document storage destination for each user aredisplayed as options in the form of a list. In the case where the user“User 1” gives, for example, an instruction to a panel of an operationunit (the display apparatus 107 which is a touchscreen, for example) ofthe MFP 100 to perform the type of scanning that saves the result ofscanning in a box, Box-A and Box-D are displayed as options in the formof a list on the touchscreen (display apparatus 107) of a console of theMFP 100. In addition, in the case where the user “User 1” accesses theMFP 100 from a terminal 200 on a network connected to the networkinterface LAN 1 and gives an instruction to save a document, Box-A andBox-D are displayed as storage destination options on the terminal 200.These options are boxes that have the network interface LAN 1 via whichthe storage instruction has passed through as an input-permitted path,and, at the same time, are boxes that have the network (LAN 1) availableto “User 1” who has given the instruction as an output-permitted path.In addition, in the case where the user “User 2” gives an instructionfrom the operation panel of the MFP 100 or from the terminal 200 on anetwork c to use a function involving storage of a document in a box,Box-B, Box-C, and Box-D are presented as storage destination options.

Although the example in which the box management table 160 and the usermanagement table 162 are held in the MFP 100 (management informationmemory 119) has been described in the above-described exemplaryembodiment, this is only one example. These tables may be held in amanagement server 250 on a network accessible from the MFP 100. Althoughthe management server 250 is provided on a network b connected to thenetwork interface LAN 2 in FIG. 17, this is only one example.

First Modification

Next, a first modification will be described.

In order for a user to use a mechanism of the above-described exemplaryembodiment, the user needs to be registered in the MFP 100 (or a systemthat manages users for using the MFP 100). Therefore, in order for aperson who does not belong to an organization in which the MFP 100 isinstalled (such as a visitor to that organization) to use thatmechanism, that person needs to be registered as a user, which isbothersome.

To this end, the first modification proposes a system that copes with auser who is not registered (unregistered user). In this system, a boxfor an unregistered user is provided in the box memory 111. In the casewhere a user who is operating the MFP 100 is an unregistered user (suchas in the case where that user is using the MFP 100 without logging in),the UI unit 150 presents, on a UI screen for document storage, that boxfor an unregistered user as a storage destination option. On this UIscreen, a group of boxes for registered users is not displayed asoptions. An unregistered user is allowed to select only that box for anunregistered user.

Box input/output information may be set to this box for an unregistereduser, like general boxes, and an input/output between the box and anetwork may be controlled in accordance with the box input/outputinformation. In this case, the input-permitted path and theoutput-permitted path of that box are determined by taking networksecurity into consideration. For example, the input-permitted path andthe output-permitted path of that box at least do not include a networkthat handles confidential documents (such as LAN 1 and Wi-Fi in FIG. 1).In addition, in the case of the policy that a network for business isinaccessible to outsiders, the MFP 100 is connected to an externalnetwork available to outsiders, and a network interface of that networkis set as the input-permitted path and the output-permitted path of thatbox. For example, in a box management table illustrated by way ofexample in FIG. 18, the box “Box-Z” prepared for an unregistered user isassociated with a network interface for such an external network(Wi-Fi2).

For example, in the case where an unregistered user gives an instructionfrom the local UI (display apparatus 107 or the like) of the MFP 100 toperform scanning which involves box usage, the box for an unregistereduser is presented to that user as a storage destination. A documentwhich is the result of scanning executed in response to this instructionis saved in that box. The input/output controller 113 permits retrievalof a document in that box from a network of an output-permitted pathassociated with that box, but does not accept retrieval of a document inthat box from other networks.

Such a box for an unregistered user may be fixedly provided or may beestablished on demand.

In the latter case (on demand), for example, as illustrated in FIG. 19,in the case where the UI unit 150 of the main controller 110 receives aninstruction from a user who is not logged in (that is, an unregistereduser) to execute a function that uses a box, such as the type ofscanning that saves the result of scanning in a box, the UI unit 150sends an instruction to a box-for-unregistered-user management unit 152to generate a box for an unregistered user. On receipt of theinstruction, the box-for-unregistered-user management unit 152 newlyestablishes a box for an unregistered user in the box memory 111. The UIunit 150 presents to that user a UI screen indicating that box for anunregistered user as a box selectable as a usage destination, and, onreceipt of an instruction from that user to use that box, executes thedesignated function. In the case where there is already a box for anunregistered user at the time of receipt of an instruction to execute afunction that uses a box, no new box may be generated, and the existingbox may be presented to the user as a storage destination.

In addition, the box-for-unregistered-user management unit 152 maydelete the established box for an unregistered user at a time point atwhich it is determined that the use of that box has ended. Here, whetherthe use of the box for an unregistered user has ended may be determinedas follows. For example, it may be determined that the use of the boxestablished in response to an instruction from an unregistered user hasended when, after a document such as the result of scanning is saved inthat box, the document is retrieved from the box and the box becomesempty. Alternatively, when there is no user access to an established boxfor an unregistered user (for example, there is no instruction from alocal or remote UI to save a document or to transfer or retrieve a saveddocument) for a certain period of time or longer (so-called time out),it may be determined that the use of that box has ended.

Second Modification

In the above-described exemplary embodiment and first modification,networks available to users in units of individuals are set (see theuser management table illustrated in FIG. 13). However, this systemuselessly consumes resources for control and involves a great burden formaintaining the user management table. To this end, networks availableto users in units of groups may be set in a second modification.

In the second modification, a group management table (see FIG. 20) and auser information table (see FIG. 21) are held in the managementinformation memory 119. In the group management table, for each usergroup, identification information of a network available to users whobelong to that group is registered in association with the ID of thatgroup. In the user information table, the ID of a user group to whicheach user belongs is registered in association with the ID of that user.These tables are maintained by the administrator of the MFP 100 or thelike.

On receipt of an instruction from a user to execute a function (such asscanning) that involves storage of a document in a box, the UI unit 150determines a group to which the user belongs from the user informationtable (see FIG. 21), and identifies a network available to that groupfrom the group management table (see FIG. 20). The UI unit 150 refers tothe identified information and the box input/output information of eachbox (such as the box management table (see FIG. 12)), and identifies abox from which a document is permitted to be output to a networkavailable to that user as a box suitable as a document storagedestination for that user. The UI unit 150 provides, as a UI screen forselecting a box that serves as a storage destination, a screen thatdistinguishably displays one or more boxes from which a document ispermitted to be output via a network available to that user from otherboxes.

Third Modification

In a third modification, the UI unit 150 uses a user's past history ofusing a box to control displaying of a box serving as a candidate for astorage destination on a UI screen for selecting the current documentstorage destination. To do so, the main controller 110 includes a usagehistory recording unit 154, which records each user's history of using abox, as illustrated in FIG. 22.

In one example, the usage history recording unit 154 records, for eachuser, information on a box that the user last used. For example, asillustrated in FIG. 23, the user management table in the managementinformation memory 119 has, in addition to information on a networkavailable to each user, the item “box (that the user) last used”. Everytime a user uses a box, the usage history recording unit 154 updates theitem “box last used” of the user in the user management table to thecurrently used box.

Note that what type of operation is regarded as “use” in the history ofusing a box is set in advance. For example, storage of a document in abox may be regarded as “use”, an output or retrieval of a document in abox may be regarded as “use”, or both of them may be regarded as “use”.In addition, an operation of opening a box (that is, an operation ofdisplaying a screen that shows a list of documents saved in a box) maybe included in the range of “use”.

In this example, on receipt of an instruction from a user to execute afunction that involves storage of a document in a box, the UI unit 150determines, from information of the user management table and the boxmanagement table (FIG. 13) of the above-described exemplary embodiment,boxes suitable as a storage destination for that user, which aredisplayed on the UI screen. The UI unit 150 displays, on the UI screenon which the determined “boxes suitable as a storage destination for theuser” are arranged as options, the “box (that the user) last used” (thatis, the box that the used “last time” in view of the current storage) ina way distinguishable (such as to stand out) from other options. Forexample, the “box last used” may be displayed in a color different fromthe other boxes, or may be displayed with emphasis using a special markor with higher luminance than the other boxes, or using a combination ofthem.

In another example, the usage history recording unit 154 records, foreach user, history information indicating when and which box the userhas “used” (what type of operation is regarded as “use” has been set asdescribed above). The UI unit 150 refers to a user's history informationin the case of generating a UI screen for selecting a document storagedestination for the user. That is, as in the above-described exemplaryembodiment, the UI unit 150 identifies boxes suitable as a storagedestination, and, in the case of displaying a list of a group of theidentified boxes, displays, for example, a box that the user most oftenuses with emphasis, which is obtained from the history information.Alternatively, the UI unit 150 displays a group of the identified boxesin the order of the frequency of use.

Fourth Modification

In a fourth modification, a user is prompted to select the purpose ofsaving a document in a box, and boxes that serve as storage destinationoptions are narrowed down in accordance with the purpose.

To do so, as illustrated by way of example in FIG. 24, in the managementinformation memory 119, for each network (which is identified by theidentification name of a corresponding network interface) to which theMFP 100 is connected, the type of purpose of the network is registered.The purpose of the network here is the purpose of using a group ofdocuments handled on that network. Several types of purposes of thenetwork are prepared, such as “for confidential documents” and “forgeneral documents”, and one or more types among these types areassociated with each network.

In response to an instruction from a user to save a document in a box,the UI unit 150 presents to the user a purpose selecting screen 320,which is illustrated by way of example in FIG. 25, and prompts the userto select on that screen the type of purpose of saving a document. Thepurpose selecting screen 320 indicates a purpose type option group 322,and the user selects the current purpose from the option group. The UIunit 150 identifies boxes suitable as a storage destination for the userfrom the user management table (FIG. 12) and the box management table(FIG. 13). The UI unit 150 extracts, from the identified group of boxes,only one or more boxes that have a network associated with the type ofpurpose selected by the user as an output-permitted path, and presentsto the user a screen for selecting the storage destination from amongthe extracted boxes serving as options.

Although the exemplary embodiment and modifications according to thepresent disclosure have been described so far, the exemplary embodimentand modifications are merely one example of realizing the presentdisclosure.

The main controller 110 of the MFP 100 discussed by way of example abovemay be realized by, for example, causing a computer included in the MFP100 to execute a program that represents the functions of the functionmodules in each apparatus. Here, the computer has a circuitconfiguration in which, for example, as hardware, a processor such as acentral processing unit (CPU), memory (primary storage) such asrandom-access memory (RAM) and read-only memory (ROM), a hard disk drive(HDD) controller that controls an HDD, various input/output (I/O)interfaces, and a network interface that controls connection with anetwork such as a LAN are connected via bus. In addition, for example, adisk drive for reading and/or writing data from/to removable diskrecording media such as a compact disc (CD) and a digital versatile disc(DVD), a memory reader/writer for reading and/or writing data from/toremovable non-transitory recording media of various standards such asflash memory, and so forth may be connected to the bus via an I/Ointerface. A program describing the details of processing of thefunction modules discussed above by way of example is saved in a fixedstorage device such as an HDD via a recording medium such as a CD or aDVD or via communication means such as a network, and installed in acomputer. The program stored in the fixed storage device is read out toRAM and executed by a processor such as a CPU, thereby realizing a groupof the function modules discussed above by way of example.

The foregoing description of the exemplary embodiment of the presentdisclosure has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit thedisclosure to the precise forms disclosed. Obviously, many modificationsand variations will be apparent to practitioners skilled in the art. Theembodiment was chosen and described in order to best explain theprinciples of the disclosure and its practical applications, therebyenabling others skilled in the art to understand the disclosure forvarious embodiments and with the various modifications as are suited tothe particular use contemplated. It is intended that the scope of thedisclosure be defined by the following claims and their equivalents.

What is claimed is:
 1. An information processing apparatus comprising: aplurality of network interfaces connected to corresponding networks; aplurality of storage areas for saving data, for each of which a networkinterface permitted as an output path of the saved data is defined; anda processor, configured to obtain network information indicating anetwork available to a group to which each user belongs; and present toa user a list of storage areas selectable as a data storage destination,and present a list of storage areas for which a network interfaceconnected to a network available to the group to which the user belongs,which is indicated by the network information, is defined as the outputpath.
 2. The information processing apparatus according to claim 1,wherein, in a case where no network available to the group to which theuser belongs is registered in the network information, the processor isconfigured to present to the user a storage area for an unregistereduser as a storage area selectable as a data storage destination.
 3. Theinformation processing apparatus according to claim 2, wherein theprocessor is further configured to generate, in a case where no networkavailable to the group to which the user belongs is registered in thenetwork information, the storage area for an unregistered user, whereinthe processor is configured to present to the user the storage area foran unregistered user generated by the processor.
 4. The informationprocessing apparatus according to claim 3, wherein the processor isfurther configured to delete the storage area for an unregistered usergenerated by the generating unit after use of the storage area hasended.
 5. The information processing apparatus according to claim 3,wherein: a network for an unregistered user is determined in advance,and the processor is further configured to define a network interfaceconnected to the network for an unregistered user as an output path ofdata stored in the generated storage area for an unregistered user. 6.The information processing apparatus according to claim 1, wherein: theprocessor is further configured to obtain information indicating thegroup to which each user belongs, and the network information indicatesa network available to each group, and the processor is furtherconfigured to determine, from the network information, a networkavailable to the group to which the user belongs, and presents a list ofstorage areas for which a network interface connected to the determinednetwork is defined as the output path.
 7. The information processingapparatus according to claim 1, further comprising: the processor isfurther configured to record information on a storage area that the userused in the past, wherein the processor is further configured to controlan order or a mode of displaying storage areas in the list on the basisof the information on a storage area that the user used in the past,which is recorded in the recording unit.
 8. The information processingapparatus according to claim 1, wherein: for each of the plurality ofstorage areas, a network interface permitted as an input path of data tobe saved in the storage area is defined, and in a case where the user isaccessing the information processing apparatus via a network, thepresenting unit presents a list of storage areas for which a networkinterface connected to the network via which the user is accessing isdefined as the input path and for which a network interface connected toa network available to the group to which the user belongs, which isindicated by the network information, is defined as the output path. 9.The information processing apparatus according to claim 1, wherein: atype of purpose is associated with each network, the informationprocessing apparatus further comprises a unit that accepts an input of atype of purpose of saving data, and the presenting unit presents a listof storage areas for which a network interface connected to a networkthat is available to the group to which the user belongs, which isindicated by the network information, and that is associated with theaccepted type of purpose is defined as the output path.
 10. Anon-transitory computer readable medium storing a program causing acomputer including a plurality of network interfaces connected tocorresponding networks to: Provide a plurality of storage areas forsaving data, for each of which a network interface permitted as anoutput path of the saved data is defined; obtain network informationindicating a network available to a group to which each user belongs;and present to a user a list of storage areas selectable as a datastorage destination, and present a list of storage areas for which anetwork interface connected to a network available to the group to whichthe user belongs, which is indicated by the network information, isdefined as the output path.
 11. An information processing apparatuscomprising: a plurality of network interfaces connected to correspondingnetworks; a plurality of storage areas for saving data, for each ofwhich a network interface permitted as an output path of the saved datais defined; obtaining means for obtaining network information indicatinga network available to a group to which each user belongs; andpresenting means for presenting to a user a list of storage areasselectable as a data storage destination, the presenting meanspresenting a list of storage areas for which a network interfaceconnected to a network available to the group to which the user belongs,which is indicated by the network information, is defined as the outputpath.